libsepol/cil: Do not allow tunable declarations in in-statements

Since tunableifs are resolved before in-statements, do not allow tuanble declarations in in-statements. Since in-statements are the first flavor of statement that causes part of the AST to be copied to another part, there is no need to check the in-statements when resolving the AST. Signed-off-by: James Carter <jwcart2@gmail.com>
sailfishos-mirror · Apr 19, 2021 · ea34dbf · ea34dbf
1 parent f38b7ea
commit ea34dbf
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
@@ -6102,7 +6102,8 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	}
 
 	if (in != NULL) {
-		if (parse_current->data == CIL_KEY_IN) {
+		if (parse_current->data == CIL_KEY_TUNABLE ||
+			parse_current->data == CIL_KEY_IN) {
 			rc = SEPOL_ERR;
 			cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
 			cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");